vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB4 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=251)
-   -   iframe injected into all templates (https://vborg.vbsupport.ru/showthread.php?t=301892)

ozzy47 09-04-2013 09:31 PM

Ouch, you need to find out how they got in.

Zachery 09-04-2013 09:32 PM

Delete your install directory

TheLastSuperman 09-04-2013 09:34 PM

Quote:

Originally Posted by dawges (Post 2443286)
Disabling Hooks does nothing, the iframe stays.



Superman, I do not have vBSEO installed. However, I will read the post you provided and report back.

If you had it in the past let us know, if you have never installed and used it then simply read my blog and run the queries listed from within phpmyadmin. If you are not the best at dealing with this type of stuff or using phpmyadmin then please post the results here and we'll try to assist you the best we can.

*Also, who is your host? No name required, I simply ask as some do backups free of charge, some daily, some do hourly backups, and they may have one handy and can simply restore the site to just before the time of being hacked. If that is the case you will lose all posts/info since said time, but you'll go back to the point before infection where you're safe to assume it's clean; then the objective at that time would be to rid yourself of any possible exploits such as removing the /install/ directory and checking for suspect file versions etc.

dawges 09-04-2013 09:36 PM

This username appeared 4 times in the admin group:

Th3H4ck

TheLastSuperman 09-04-2013 09:39 PM

Quote:

Originally Posted by dawges (Post 2443294)
This username appeared 4 times in the admin group:

Th3H4ck

Note the userids of those 4 accounts, you may need them for reference later, but as soon as you write them down delete those admin accounts and, as Zachery noted and then me as well, delete the /install/ directory immediately if it's present.

*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so it's better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.

Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless ;).

dawges 09-04-2013 09:39 PM

Quote:

Originally Posted by Zachery (Post 2443291)
Delete your install directory

Deleted the install directory but the iframe still remains. Also, I have no idea how I was hacked.

--------------- Added at Unix time 1378338074 ---------------

Quote:

Originally Posted by TheLastSuperman (Post 2443297)
Note the userids of those 4 accounts, you may need them for reference later, but as soon as you write them down delete those admin accounts and, as Zachery noted and then me as well, delete the /install/ directory immediately if it's present.

*Stop for one second though and reply to my backup question above ^ Do you have a recent backup? If so it's better to restore and nip any possible exploits in the bud. If no backups then continue on investigating and clearing out any malicious code/files/other.

Edit: I'm taking the family out to dinner but will check this when I return as I have work to do tonight regardless ;).

I do have backups provided by my host. However, they are probably too old. My forum is very busy. It really needs a daily backup.

snakes1100 09-04-2013 09:49 PM

You'll need to dig into the db; even though it's an iframe, he could have it hidden in base64 code that's decoding into the iframe.

This could be hidden in numerous tables of your db, datastore, plugins, styles etc.
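The point snakes1100 makes is that a plain search for `<iframe` across the database will miss a payload that is stored base64-encoded and only decoded at runtime (typically from a plugin's PHP via `base64_decode`). The script below is an added example, not code from the thread or from vBulletin. It scans rows of the kind you would export from the `template`, `plugin` and `datastore` tables, flags literal iframes and suspicious PHP calls, and also decodes any base64-looking runs and rescans the decoded text. The sample rows are constructed for the example; the hidden payload is encoded at import time so the decoded result is known.

```python
import base64
import re

# Constructed sample rows (table, title, content) standing in for vBulletin DB content.
# In practice these would come from a dump of the template, plugin and datastore tables.
_HIDDEN = base64.b64encode(
    b'<iframe src="http://bad.example/y" width="0" height="0"></iframe>'
).decode()

SAMPLE_ROWS = [
    ("template", "header", '<div id="header">{vb:raw vboptions.bbtitle}</div>'),
    ("template", "footer",
     '<div class="footer"></div>'
     '<iframe src="http://bad.example/x" width="1" height="1"></iframe>'),
    ("plugin", "global_start",
     "$GLOBALS['footer'] .= base64_decode('" + _HIDDEN + "');"),
    ("plugin", "init_startup", "if (!isset($vbulletin)) { return; }"),
    ("datastore", "options", 'a:1:{s:7:"bbtitle";s:10:"My Forum!!";}'),
]

# A literal iframe tag, in any table.
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)
# PHP calls that legitimate vBulletin plugins rarely need but injected code relies on.
SUSPECT_PHP_RE = re.compile(
    r"\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE
)
# A run of base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64_candidates(text):
    """Return the UTF-8 text of every base64-looking run in text that decodes cleanly."""
    decoded = []
    for match in B64_RE.finditer(text):
        token = match.group(0)
        token += "=" * (-len(token) % 4)  # restore padding stripped by the regex boundary
        try:
            raw = base64.b64decode(token, validate=True)
            decoded.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary long words decode to garbage; ignore them
    return decoded


def scan_row(table, title, content, depth=0, max_depth=3):
    """Return (finding, depth) pairs; depth > 0 means found inside decoded base64."""
    findings = []
    if IFRAME_RE.search(content):
        findings.append(("iframe", depth))
    if SUSPECT_PHP_RE.search(content):
        findings.append(("suspect_php", depth))
    if depth < max_depth:
        for inner in decode_base64_candidates(content):
            findings.extend(scan_row(table, title, inner, depth + 1, max_depth))
    return findings


def scan_rows(rows):
    """Map (table, title) -> findings for every row that has at least one."""
    report = {}
    for table, title, content in rows:
        findings = scan_row(table, title, content)
        if findings:
            report[(table, title)] = findings
    return report


if __name__ == "__main__":
    for (table, title), findings in scan_rows(SAMPLE_ROWS).items():
        print(f"{table}.{title}: {findings}")
```

The footer template is caught by the literal check, while the plugin row is reported twice: once for calling `base64_decode` and once for the iframe that appears only after decoding. A real sweep should cover every table that ends up rendered (styles, templates, plugins, datastore, phrases, notices), and anything flagged should be checked against a clean copy of the same vBulletin version before removal.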

dawges 09-04-2013 10:22 PM

Quote:

Originally Posted by snakes1100 (Post 2443301)
You'll need to dig into the db; even though it's an iframe, he could have it hidden in base64 code that's decoding into the iframe.

This could be hidden in numerous tables of your db, datastore, plugins, styles etc.

I just installed the admincp firewall from here to block unknown IP addresses. I also have changed all my passwords. Now I am searching folder by folder for unknown PHP files. I will report if I find the source.

snakes1100 09-04-2013 10:24 PM

I wasn't suggesting files, I suggested in your db.

ozzy47 09-04-2013 10:25 PM

You make sure there are no unknown files in your vBulletin directory. You can use Maintenance --> Diagnostic --> Suspect File Versions to find these.
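The Suspect File Versions tool ozzy47 refers to compares the files on disk with the checksums vBulletin ships for that version. The script below is an added example, not vBulletin's tool, of the same idea done independently: build a sha256 manifest from a known-clean copy of the install (the assumption is that you have one, e.g. a fresh download of the same version), then diff the live tree against it to list unknown files, modified files and missing files. The demo tree it builds is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large attachments do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def compare_tree(root, baseline):
    """Diff the live tree under root against a baseline manifest."""
    current = build_manifest(root)
    return {
        "unknown": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as handle:
        handle.write(text)


def demo():
    """Constructed mini install: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "global.php", "<?php // clean\n")
        _write(root, "includes/functions.php", "<?php // clean\n")
        _write(root, "install/install.php", "<?php // installer\n")
        baseline = build_manifest(root)  # taken while the tree is known-good

        # Simulated tampering: an edited core file, a dropped-in file in an
        # upload directory, and the installer removed as the thread advises.
        _write(root, "includes/functions.php", "<?php // edited\n")
        _write(root, "images/misc/cache.php", "<?php // not part of vBulletin\n")
        os.remove(os.path.join(root, "install/install.php"))

        return compare_tree(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Unknown files in writable directories (images, attachments, customavatars) are the ones to look at first, since that is where an uploaded web shell would land; a modified core file needs to be diffed against the clean copy to see what was added. Run the comparison from a separate machine against a copy of the tree, not from a script living on the compromised host.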

